On 11/24/2010 02:58 AM, coderman wrote:
> On Tue, Nov 23, 2010 at 10:43 PM, Marsh Ray <[email protected]> wrote:
>> ....
>> How about all the weak and insufficiently seeded RNGs out there?
>
> it's more than a little annoying how many accelerated crypto
> implementations exist while good entropy is still a scarcity.
> why isn't this a native instruction on every architecture?
How would you know if it was working properly? Or backdoored?

How does this feature interact with virtualization? Low power and sleep
states? What about variations in manufacturing process?

How hard is it to define such a thing in standard chip design tools? I
imagine many tools will complain loudly about nondeterministic states.

What if it suddenly stopped working?

It seems like doing a decent test on each unit shipped would add at
least some cost to the part.

Will the chip estimate the amount of entropy it has pooled? How?

Wouldn't you prefer an industrial-strength software entropy pool over a
minimum-possible-area instruction that can never be fully tested?

I think a conscientious designer will want entropy from multiple
sources, so he probably won't trust the chip to do it all for him, but
perhaps it could be used as another input. What sources of entropy are
available to the chip designer that are not also available to a software
EGD?

How many customers would choose your chip instead of the other brand
because of this? Is it worth the risk inherent in any new feature?

How do you market it? How do you keep it from being marketed as
something that it isn't?

If it turned out to be weak, would you have to recall the chips? How
about products containing it?

This sucker got baked into a lot of smart meters, or so I hear:
http://travisgoodspeed.blogspot.com/2009/12/prng-vulnerability-of-z-stack-zigbee.html

Of course, the answer may still be that it's better to have an
instruction for it than not. But the advantages are subtle and hard to
quantify, whereas the costs, complexity, and risks of adding it are
measurable.
- Marsh
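An added example, not part of the thread or anyone's product, showing the two defensive habits Marsh's questions point at ("what if it suddenly stopped working?" and using the instruction as one input among several): a repetition-count health test run in software over a hardware RNG sample, and hash-based mixing with a software pool sample so a silently failed source cannot weaken the result. The cutoff value and all sample data are constructed for illustration.

```python
import hashlib

# Constructed threshold (not from the thread or any standard's table): eight
# identical consecutive bytes from a source claiming 8 bits/byte has probability
# about 2**-56 per position, so seeing it means "stuck" is far more likely than "healthy".
REPETITION_CUTOFF = 8


def repetition_count_test(samples: bytes, cutoff: int = REPETITION_CUTOFF) -> bool:
    """Continuous health test: pass (True) unless some value repeats `cutoff` times in a row.

    This has the shape of a repetition-count test and catches a source that has
    failed to a constant. It cannot prove the output is random; it only catches
    this one gross failure mode, which is exactly Marsh's "can never be fully tested" point."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def mix_sources(*sources: bytes) -> bytes:
    """Hash independent sources together so the result is as unpredictable as the best one.

    A stuck or untrusted source mixed this way adds nothing useful, but it also
    cannot cancel the entropy of the other inputs: the instruction becomes "another
    input" rather than the only one."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))  # length prefix keeps the inputs unambiguous
        h.update(s)
    return h.digest()


def reseed(hw_sample: bytes, sw_sample: bytes) -> tuple[bytes, bool]:
    """Admit the hardware sample only if it passes the health test; the software
    pool's sample is always mixed in. Returns (new seed, hardware sample used?)."""
    hw_ok = repetition_count_test(hw_sample)
    parts = [sw_sample] + ([hw_sample] if hw_ok else [])
    return mix_sources(*parts), hw_ok


if __name__ == "__main__":
    healthy = bytes(range(256))   # constructed: no runs, so it passes (though perfectly predictable)
    stuck = b"\x41" * 32          # constructed: a source that failed to a constant
    sw = b"constructed software pool sample"
    print(reseed(healthy, sw)[1], reseed(stuck, sw)[1])  # True False
```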
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography